Bandwidth Policies based on VLANs

Unanswered Question
Sep 30th, 2008


Is it possible to create bandwidth policies based on VLAN ID? What I am trying to figure out is how to police the data sent over an Ethernet trunk. Voice needs to get 30% of the available bandwidth and the rest is for data. This must be configured on a Dot1q trunk connection.



satish_zanjurne Tue, 09/30/2008 - 05:39

I am not sure, but access lists do not match VLAN ID.

Instead you can match the IP address/subnet, DSCP, or CoS in a class-map.

1. Define an access-list matching your VLAN IP addresses

2. Define a class-map to match the access-list or CoS, DSCP.

3. Define a policy-map, to either allocate the bandwidth

HTH..rate if helpful..

remco.gussen Tue, 09/30/2008 - 05:43

Do you have to connect the service policy to the layer 2 switch interface? The connection between the two sites is not routed. It is a 100 Mb/s layer 2 (trunked) connection.

Marwan ALshawi Tue, 09/30/2008 - 06:23

The following link is a case for bandwidth limitation based on VLANs that I have addressed

might help u:

u may make the policy on the output direction, or the input direction on the other end of the trunk

if helpful Rate

remco.gussen Tue, 09/30/2008 - 23:11

I don't think this is going to work.. The interfaces are in layer 2 mode. So they don't care about ip addresses.. Maybe it is possible to make a match based on VLAN ID ??

Marwan ALshawi Wed, 10/01/2008 - 01:13

what switch model u use?

2950 and above: even if the port operates in L2, the switch has the L3/L4 intelligence

thus u can make matching based on source IP or IP and port

remco.gussen Wed, 10/01/2008 - 01:18

A ring network with 60 ME 3400 switches and two 3750 switches in a stack...

Outbound policies are not possible on those switches ?

remco.gussen Wed, 10/01/2008 - 01:25

I think that you have to make the two Gigabit interfaces per ME3400 switch in the ring an "inbound" policy interface. Data can traverse the ring in two ways: to the left and to the right... Is it also possible to use the Match VLAN match command?

Marwan ALshawi Wed, 10/01/2008 - 02:23

You cannot use policing in an SVI-level policy-map. This eliminates the possibility of having a policer aggregating traffic rates for all ports in a single VLAN. However, you can still police per-port per-VLAN in the 3560 using the following feature.

Per-Port Per-VLAN Policing in the 3560

This feature uses second-level policy-maps. The second-level policy-map must list class-maps satisfying specific restrictions. The only “match” criterion supported in those class-maps is match input-interface. You can list several interfaces separated by spaces, or use interface ranges, separating interfaces in a range by hyphen. The only action supported in the second-level policy-map is the police command. As usual, you can drop exceeding traffic or configure traffic remarking using policed DSCP map. The police action applies individually to every port in the range.

You cannot use aggregate policers in the second-level policy-maps. Another restriction - if you apply a second-level policy-map (interface-level map) inside “class-default” it will have no effect. You need to apply the second-level policy-map inside user-defined classes.

The following example restricts IP traffic rate in VLAN146 on every trunk port to 128Kbps and limits the IP traffic in VLAN146 on the port connected to R6 to 256Kbps.

Example 6:

mls qos map policed-dscp 18 to 8
!
! For 2nd level policy you can only match input interfaces
!
class-map TRUNKS
 match input-interface FastEthernet 0/13 - FastEthernet 0/21
!
! The second class-map matches a group of ports or a single port
!
class-map PORT_TO_R6
 match input-interface FastEthernet 0/6
!
! IP traffic: ACL and class-map
!
ip access-list extended IP_ANY
 permit ip any any
!
class-map IP_ANY
 match access-group name IP_ANY
!
! Second-level policy-map may only police, but not mark
!
policy-map INTERFACE_POLICY
 class TRUNKS
  police 128000 16000 exceed policed-dscp-transmit
 class PORT_TO_R6
  police 256000 32000
!
! 1st level policy-map may only mark, not police
! VLAN aggregate policing is not possible in the 3560
!
policy-map VLAN_POLICY
 class IP_ANY
  set dscp af21
  service-policy INTERFACE_POLICY
!
interface Vlan 146
 service-policy input VLAN_POLICY
!
! Enable VLAN-based QoS on the ports
!
interface FastEthernet 0/6
 mls qos vlan-based
!
! Enable VLAN-based QoS
!
interface range FastEthernet 0/13 - 21
 mls qos vlan-based

u can use the above idea and make each class as a VLAN network

if helpful Rate
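The restrictions listed in the post above (second-level class-maps may only use match input-interface, the only second-level action is a plain police with no aggregate policer, nesting under class-default has no effect, and the first-level map marks but does not police) can be checked mechanically before a configuration is pushed. The Python below is an added example, not part of the thread; the rule labels and the names BY_DSCP and AGG1 are made up for illustration, and it assumes sub-commands are indented by at least one space.

```python
def parse(cfg):
    """Return ({class-map: [match lines]}, {policy-map: [(class, command)]})."""
    cmaps, pmaps, block, cls, is_pmap = {}, {}, None, None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():               # top-level command opens a block
            w = line.split()
            is_pmap, cls = w[0] == "policy-map", None
            known = w[0] in ("class-map", "policy-map")
            block = (pmaps if is_pmap else cmaps).setdefault(w[-1], []) if known else None
        elif block is not None and is_pmap and line.startswith("class "):
            cls = line.split()[1]
        elif block is not None:
            block.append((cls, line) if is_pmap else line)
    return cmaps, pmaps

def lint(cfg):
    """Return (rule, name) findings for the 3560 two-level policy restrictions."""
    cmaps, pmaps = parse(cfg)
    # second-level policy-map name -> parent class it is nested under
    nested = {c.split()[1]: cls for cmds in pmaps.values()
              for cls, c in cmds if c.startswith("service-policy ")}
    out = []
    for name, cmds in pmaps.items():
        if name in nested:                     # second-level (interface-level) map
            if nested[name] == "class-default":
                out.append(("child-under-class-default", name))
            for cls in dict.fromkeys(c for c, _ in cmds):
                if any(not m.startswith("match input-interface") for m in cmaps.get(cls, [])):
                    out.append(("child-class-match", cls))
            out += [("child-action", cls) for cls, c in cmds
                    if not c.startswith("police ") or c.startswith("police aggregate")]
        elif any(c.startswith("service-policy ") for _, c in cmds):   # first-level map
            out += [("parent-polices", name) for _, c in cmds if c.startswith("police ")]
    return out

# Constructed sample (not from the thread) that breaks each restriction once.
BAD_CFG = """\
class-map BY_DSCP
 match ip dscp 18
policy-map INTERFACE_POLICY
 class BY_DSCP
  police aggregate AGG1
policy-map VLAN_POLICY
 class class-default
  police 256000 32000
  service-policy INTERFACE_POLICY
"""
```

Calling lint(BAD_CFG) returns one finding per broken rule; a configuration laid out like Example 6 returns an empty list.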

remco.gussen Wed, 10/01/2008 - 02:43

What about this:

qos aggregate-policer aggr_vlan10 250000000 conform-action transmit exceed-action drop
qos aggregate-policer aggr_vlan20 250000000 conform-action transmit exceed-action drop
qos aggregate-policer aggr_vlan30 250000000 conform-action transmit exceed-action drop
qos aggregate-policer aggr_vlan40 250000000 conform-action transmit exceed-action drop
!
policy-map Shape_VLAN10
 class class-default
  police aggregate aggr_vlan10
policy-map Shape_VLAN20
 class class-default
  police aggregate aggr_vlan20
policy-map Shape_VLAN30
 class class-default
  police aggregate aggr_vlan30
policy-map Shape_VLAN40
 class class-default
  police aggregate aggr_vlan40
!
interface Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,100,200
 vlan range 10
  service-policy output Shape_VLAN10
 vlan range 20
  service-policy output Shape_VLAN20
 vlan range 30
  service-policy output Shape_VLAN30
 vlan range 40
  service-policy output Shape_VLAN40

jcvassmer Mon, 11/24/2008 - 17:01

Give this a shot on the ME3400, it seems to work for me.

ME3400 pppv policing

class-map match-any Police10Mb-VLAN
 match vlan 2180
class-map match-any Police20Mb-VLAN
 match vlan 2123
!
policy-map 10mb-child-vlan
 class class-default
  police 11000000
   exceed-action drop
policy-map 20mb-child-vlan
 class class-default
  police 20480000
   exceed-action drop
!
policy-map parent-Trunkport
 class Police10Mb-VLAN
  service-policy 10mb-child-vlan
 class Police20Mb-VLAN
  service-policy 20mb-child-vlan
!
interface GigabitEthernet0/15
 description Trunk_link
 port-type nni
 switchport trunk allowed vlan 514,2180,2123
 switchport mode trunk
 service-policy input parent-Trunkport
 load-interval 30
 media-type sfp
 speed nonegotiate

